[
https://issues.apache.org/jira/browse/AMQ-9388?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17785700#comment-17785700
]
ASF subversion and git services commented on AMQ-9388:
------------------------------------------------------
Commit 3013a3ab35a249b46ed6706d66a35f328ede1885 in activemq's branch
refs/heads/main from Christopher L. Shannon (cshannon)
[ https://gitbox.apache.org/repos/asf?p=activemq.git;h=3013a3ab3 ]
AMQ-9388 - Exclude activemq-client-jakarta from camel-activemq
The current version of camel pulls in the activemq-client-jakarta jar
which is not necessary as it no longer exists with ActiveMQ 6.0.0
Furthermore the version being pulled in is 5.18.2 which contains a
critical CVE that was fixed in 5.18.3
> camel-activemq transitively pulls in activemq-client-jakarta
> ------------------------------------------------------------
>
> Key: AMQ-9388
> URL: https://issues.apache.org/jira/browse/AMQ-9388
> Project: ActiveMQ
> Issue Type: Bug
> Components: Broker
> Reporter: Christopher L. Shannon
> Assignee: Christopher L. Shannon
> Priority: Blocker
> Fix For: 6.0.0
>
> Time Spent: 40m
> Remaining Estimate: 0h
>
> While reviewing the 6.0.0 release I noticed that the newly added
> {{camel-activemq}} module pulls in {{activemq-client-jakarta}} as a
> transitive dependency. This makes sense since the version used is based on
> ActiveMQ 5.18.2 as 6.0.0 isn't released yet.
> We need to exclude this because with version 6.0.0 this module no longer
> exists so is not needed and secondly the 5.18.2 version has a CVE against it.
> The dependency in the current release is not included in the tar distribution
> but since it is transitively being pulled in with maven if someone has a
> dependency on the apache-activemq pom they will have the jar pulled into
> their build.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
